{{- if .Values.cni.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kuma.name" . }}-cni
  namespace: {{ .Values.cni.namespace }}
  labels: {{ include "kuma.cniLabels" . | nindent 4 }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
  {{- range . }}
  - name: {{ . | quote }}
  {{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kuma.name" . }}-cni
  labels:
  {{ include "kuma.cniLabels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      {{- if .Values.experimental.ebpf.enabled }}
      - list
      - watch
      {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kuma.name" . }}-cni
  labels:
  {{ include "kuma.cniLabels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kuma.name" . }}-cni
subjects:
  - kind: ServiceAccount
    name: {{ include "kuma.name" . }}-cni
    namespace: kube-system
  {{- end }}
